Methods, systems, and products for authentication of users

ABSTRACT

Methods, systems, and products authenticate users for access to devices, applications, and services. Skills of a user are learned over time, such that an electronic model of random subject matter may be generated. The user is prompted to interpret the random subject matter, such as with an electronic drawing. The user&#39;s interpretation is then compared to the electronic model of the random subject matter. If the user&#39;s interpretation matches the electronic model, the user may be authenticated.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.14/266,889 filed May 1, 2014 and since issued as U.S. Pat. No.9,083,694, which is a continuation of U.S. application Ser. No.13/647,435 filed Oct. 9, 2012 and since issued as U.S. Pat. No.8,752,151, with both applications incorporated herein by reference intheir entireties.

BACKGROUND

Authentication is common. People often input a username and password toaccess a device, website, or service. As we are all too aware, though,text-based authentication is vulnerable to hackers.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The features, aspects, and advantages of the exemplary embodiments areunderstood when the following Detailed Description is read withreference to the accompanying drawings, wherein:

FIG. 1 is a simplified schematic illustrating an environment in whichexemplary embodiments may be implemented;

FIG. 2 is a more detailed schematic illustrating an operatingenvironment, according to exemplary embodiments;

FIGS. 3-6 are schematics illustrating a learning session, according toexemplary embodiments;

FIGS. 7-12 are schematics illustrating authentication based on modelsfrom skills, according to exemplary embodiments;

FIGS. 13-19 are more schematics illustrating authentication based onmodels from skills, according to exemplary embodiments;

FIG. 20 is a schematic illustrating a rejection of the random subjectmatter, according to exemplary embodiments;

FIGS. 21-23 are schematics illustrating a database of subject matter,according to exemplary embodiments;

FIGS. 24-25 are schematics illustrating local authentication, accordingto exemplary embodiments;

FIG. 26 is a schematic illustrating authentication using physicalbuilding blocks, according to exemplary embodiments;

FIG. 27 is a schematic illustrating gesture-based authentication,according to exemplary embodiments;

FIGS. 28-30 are flowcharts illustrating a method or algorithm forauthenticating users, according to exemplary embodiments; and

FIGS. 31-32 depict still more operating environments for additionalaspects of the exemplary embodiments.

DETAILED DESCRIPTION

The exemplary embodiments will now be described more fully hereinafterwith reference to the accompanying drawings. The exemplary embodimentsmay, however, be embodied in many different forms and should not beconstrued as limited to the embodiments set forth herein. Theseembodiments are provided so that this disclosure will be thorough andcomplete and will fully convey the exemplary embodiments to those ofordinary skill in the art. Moreover, all statements herein recitingembodiments, as well as specific examples thereof, are intended toencompass both structural and functional equivalents thereof.Additionally, it is intended that such equivalents include bothcurrently known equivalents as well as equivalents developed in thefuture (i.e., any elements developed that perform the same function,regardless of structure).

Thus, for example, it will be appreciated by those of ordinary skill inthe art that the diagrams, schematics, illustrations, and the likerepresent conceptual views or processes illustrating the exemplaryembodiments. The functions of the various elements shown in the figuresmay be provided through the use of dedicated hardware as well ashardware capable of executing associated software. Those of ordinaryskill in the art further understand that the exemplary hardware,software, processes, methods, and/or operating systems described hereinare for illustrative purposes and, thus, are not intended to be limitedto any particular named manufacturer.

As used herein, the singular forms “a,” “an,” and “the” are intended toinclude the plural forms as well, unless expressly stated otherwise. Itwill be further understood that the terms “includes,” “comprises,”“including,” and/or “comprising,” when used in this specification,specify the presence of stated features, integers, steps, operations,elements, and/or components, but do not preclude the presence oraddition of one or more other features, integers, steps, operations,elements, components, and/or groups thereof. It will be understood thatwhen an element is referred to as being “connected” or “coupled” toanother element, it can be directly connected or coupled to the otherelement or intervening elements may be present. Furthermore, “connected”or “coupled” as used herein may include wirelessly connected or coupled.As used herein, the term “and/or” includes any and all combinations ofone or more of the associated listed items.

It will also be understood that, although the terms first, second, etc.may be used herein to describe various elements, these elements shouldnot be limited by these terms. These terms are only used to distinguishone element from another. For example, a first device could be termed asecond device, and, similarly, a second device could be termed a firstdevice without departing from the teachings of the disclosure.

FIG. 1 is a simplified schematic illustrating an environment in whichexemplary embodiments may be implemented. FIG. 1 illustratesauthentication of a client device 20 to an authentication server 22. Theclient device 20, for simplicity, is illustrated as a smart phone 24.The client device 20 and the authentication server 22 may communicateover a communications network 26. A user of the client device 20 wishesto access some service, application, or features for whichauthentication is needed. While the user may input a username andpassword, exemplary embodiments utilize a graphical, sketch-basedauthentication procedure. That is, the user of the client device 20 isprompted to draw or sketch a picture 28. The picture 28 may be sent tothe authentication server 22. The authentication server 22 may theninspect the picture 28 drawn by the user of the client device 20. If thepicture 28 drawn by the user satisfies an authentication procedure 30,then the user is authenticated by the authentication server 22. Theuser, in other words, is permitted to access the service, application,or features for which authentication is needed. If the picture 28 doesnot satisfy the authentication procedure 30, then the user may be deniedaccess.

Here, authentication utilizes the sketching skills 32 of the user. Whenthe user of the client device 20 wishes to authenticate, the user isinstructed to draw random subject matter 34. The random subject matter34 may be selected by the authentication server 22 and/or by the clientdevice 20. Regardless, the user then draws a sketch 36 of the randomsubject matter 34. The user, for example, uses their finger, fingernail,or a stylus to draw the sketch 36 on a touch screen 38 of the smartphone 24. The client device 20 sends data 40 describing the sketch 36 tothe authentication server 22.

The data 40 may then be compared to a freehand model 42. The freehandmodel 42 is an electronic recreation of the random subject matter 34generated from the sketching skills 32 associated with the user. Thefreehand model 42, in other words, predicts what the random subjectmatter 34 should look like, using the user's known sketching skills 32.As the user interacts with the authentication server 22, theauthentication server 22 learns the user's sketching skills 32 overtime. So, the user's sketch 36 (as represented by the data 40) iscompared to the freehand model 42 predicted by the user's knownsketching skills 32. If the data 40 matches the freehand model 42predicted from the user's known sketching skills 32, then the user maybe authenticated. If data 40 does not match the freehand model 42, thenauthentication may fail.

Exemplary embodiments thus eliminate cumbersome, conventionalauthentication schemes. Users no longer need to remember cumbersomepasswords. Security concerns are greatly reduced, as the user need notfear nefarious use of stolen passwords. Occurrences of identity theftare thus reduced.

FIG. 2 is a more detailed schematic illustrating an operatingenvironment, according to exemplary embodiments. The user's clientdevice 20 may have a processor 50 (e.g., “μP”), application specificintegrated circuit (ASIC), or other component that executes aclient-side authentication algorithm 52 stored in a local memory 54. Theauthentication server 22 may also have a processor 60 (e.g., “μP”),application specific integrated circuit (ASIC), or other component thatexecutes a server-side authentication algorithm 62 stored in a localmemory 64. The client-side authentication algorithm 52 and/or theserver-side authentication algorithm 62 include instructions, code,and/or programs that authenticate the user of the client device 20. Theuser may be authenticated solely by either the client-sideauthentication algorithm 52 or the server-side authentication algorithm62. However, the client-side authentication algorithm 52 and theserver-side authentication algorithm 62 may cooperate in a client-serverrelationship to authenticate the user.

Exemplary embodiments may be applied regardless of networkingenvironment. As the above paragraphs mentioned, the communicationsnetwork 26 may be a wireless network having cellular, WI-FI®, and/orBLUETOOTH® capability. The communications network 26, however, may be acable network operating in the radio-frequency domain and/or theInternet Protocol (IP) domain. The communications network 26, however,may also include a distributed computing network, such as the Internet(sometimes alternatively known as the “World Wide Web”), an intranet, alocal-area network (LAN), and/or a wide-area network (WAN). Thecommunications network 26 may include coaxial cables, copper wires,fiber optic lines, and/or hybrid-coaxial lines. The communicationsnetwork 26 may even include wireless portions utilizing any portion ofthe electromagnetic spectrum and any signaling standard (such as theIEEE 802 family of standards, GSM/CDMA/TDMA or any cellular standard,and/or the ISM band). The communications network 26 may even includepowerline portions, in which signals are communicated via electricalwiring. The concepts described herein may be applied to anywireless/wireline communications network, regardless of physicalcomponentry, physical configuration, or communications standard(s).

FIGS. 3-6 are schematics illustrating a learning session 70, accordingto exemplary embodiments. Before the user can be authenticated,exemplary embodiments may need to learn the user's sketching skills 32.If the authentication server 22 is going to predict the user'sauthentication sketches, the authentication server 22 must learn theuser's sketching skills 32. During the learning session 70, the user maybe repetitively prompted to draw one, several, or many pictures ofdifferent scenes, places, and/or things. The user, for example, mayfirst be asked to draw a sunset. The user then submits the sketch 36 oftheir interpretation of the sunset. The user may then be instructed todraw a bicycle, then a flowerpot, then a lamppost. For each prompt theuser sketches their interpretation of the requested task. Thisprompt-and-sketch routine is repeated as long as necessary until thesketching skills 32 of the user are learned.

FIG. 3 thus illustrates the learning session 70. The authenticationserver 22 accesses a database 72 of subject matter. The database 72 ofsubject matter stores one or more listings of subject matter forauthentication purposes. The database 72 of subject matter isillustrated as being locally stored in the authentication server 22, butthe database 72 of subject matter may be remotely stored and accessedfrom any network location. Regardless, FIG. 3 illustrates the database72 of subject matter as a listing 74 of nouns. The listing 74 of nounsmay be any listing of persons, places, and/or things that theauthenticating user may be required to draw. The listing 74 of nouns,for example, may include “bowl,” “chair,” “fire hydrant,” “globe,”“tree,” and “truck.” While FIG. 3 only illustrates several entries inthe listing 74 of nouns, in practice the listing 74 of nouns may havehundreds or thousands of entries. The server-side authenticationalgorithm 62 instructs the processor (illustrated as reference numeral60 in FIG. 2) to query the database 72 of subject matter to obtain therandom subject matter 34. The database 72 of subject matter randomlyselects an entry 76 from the listing 74 of nouns. The database 72 ofsubject matter then responds with the random subject matter 34.

FIG. 4 illustrates prompts for the random subject matter 34. Once theauthentication server 22 receives the random subject matter 34, the useris prompted to draw the random subject matter 34. The server-sideauthentication algorithm 62 sends a capture instruction 80 to the user'sclient device 20. The capture instruction 80 routes along thecommunications network 26 to a network address associated with theuser's client device 20. When the capture instruction 80 is received,the client-side authentication algorithm 52 inspects the captureinstruction 80 for the random subject matter 34. The client-sideauthentication algorithm 52 then instructs the processor (illustrated asreference numeral 50 in FIG. 2) to generate a prompt 82 to draw therandom subject matter 34. The prompt 82, for example, is produced by thetouch screen 38 on the user's smart phone 24. The user then proceeds todraw the random subject matter 34 using a fingernail, stylus, or otherinstrument. The client-side authentication algorithm 52 captures theuser's sketch 36 of the random subject matter 34. In this example, theuser's sketch 36 of the random subject matter 34 is captured as touchscreen data 84 by the user's smart phone 24.

FIG. 5 illustrates a database 90 of profiles. Once the user's sketch 36of the random subject matter 34 is captured, the touch screen data 84 issent to the authentication server 22. The client-side authenticationalgorithm 52 instructs the user's client device 20 to send the touchscreen data 84 to the network address associated with the authenticationserver 22. When the authentication server 22 receives the touch screendata 84, the server-side authentication algorithm 62 may stores thetouch screen data 84 in a profile 92. The profile 92 may store the touchscreen data 84 in association with a user identifier 94 and/or a deviceidentifier 96. The user identifier 94 may be any information thatuniquely identifies the user, such as a username. The user identifiermay also be a biometric fingerprint, a facial scan, a retina scan, orany other physical recognition. The device identifier 96 may be anyinformation that uniquely identifies the client device 20, such as amachine address, network address, or serial number. The server-sideauthentication algorithm 62 may also associate the touch screen data 84to the random subject matter 34. The server-side authenticationalgorithm 62, in other words, may now maintain associations between therandom subject matter 34, the user's corresponding sketch 36 (asrepresented by the touch screen data 84), the user identifier 94, and/orthe device identifier 96.

FIG. 6 thus illustrates the cyclic learning session 70. The server-sideauthentication algorithm 62 may repeatedly retrieve different randomsubject matter 34 from the database 72 of subject matter. The captureinstruction 80 is sent to the client device 20. The user is prompted todraw each random subject matter 34. Each of the user's sketches 36 iscaptured (such as by the touch screen data 84) and sent back to theauthentication server 22. The user's sketch 36 may then be associatedwith the random subject matter 34.

With several iterations the server-side authentication algorithm 62begins to acquire the user's sketching skills 32. As each sketch 36 isobtained, the server-side authentication algorithm 62 builds arepository of the different random subject matter 34 and the user'scorresponding sketches 36 (as represented by the touch screen data 84).The server-side authentication algorithm 62 performs a graphicalanalysis 100 to compare the different random subject matter 34 and theuser's responsive sketches 36. Over time the server-side authenticationalgorithm 62 acquires confidence in learning the user's sketching skills32. The server-side authentication algorithm 62 thus gains enoughinformation to predict how the user will sketch any subject matter. Thatis, whatever random subject matter 34 that the user is instructed todraw, the true user's response can be predicted from the sketchingskills 32. Indeed, over time with several or many iterations, thegraphical analysis 100 yields a highly accurate estimation of the user'ssketching skills 32.

The graphical analysis 100 may utilize any comparison. There are manyschemes that compare the different random subject matter 34 and theuser's responsive sketches 36. Exemplary embodiments, for example, maycompare slopes and arcs of lines to ascertain the user's sketchingskills 32. Right-handed people, for example, draw images with differentslants and arcs from left-handed people. When arcs and circles aredrawn, different artists have different starting and ending points.Linear velocities of lines and circles may also differ between users.Different users may have different measures of detail and/or complexityin their sketches 36. Different users utilize different depth andperspective in their respective sketches 36. The graphical analysis 100may thus utilize any measurement and/or comparison to estimate theuser's sketching skills 32.

FIGS. 7-12 are schematics illustrating cloud-based authentication,according to exemplary embodiments. Now that the user's sketching skills32 are learned, the user's sketching skills 32 may be applied toauthentication requests. As FIG. 7 illustrates, when the user of theclient device 20 wishes to authenticate, the client-side authenticationalgorithm 52 sends an authentication notification 110 to theauthentication server 22. Here the authentication notification 110identifies the device identifier 96 that wishes to authenticate. Thedevice identifier 96 is any information that uniquely identifies theclient device 20 wishing to authenticate. The authenticationnotification 110 routes via the communications network (illustrated asreference numeral 26 in FIG. 1) to the network address associated withthe authentication server 22. When the authentication server 22 receivesthe authentication notification 110, the server-side authenticationalgorithm 62 is alerted to an authentication attempt from the clientdevice 20. The server-side authentication algorithm 62 inspects theauthentication notification 110 for the device identifier 96.

The random subject matter 34 is then selected. The server-sideauthentication algorithm 62 instructs the authentication server 22 toquery the database 72 of subject matter for the random subject matter34. The database 72 of subject matter then responds with the randomsubject matter 34. The server-side authentication algorithm 62 instructsthe authentication server 22 to send an authentication instruction 112to the client device 20. The authentication instruction 112 includesinformation that identifies the random subject matter 34 selected by thedatabase 72 of subject matter. The authentication instruction 112 routesvia the communications network 26 to the network address associated withthe requesting client device 20.

FIG. 8 illustrates the prompt 82 for the random subject matter 34. Whenthe client device 20 receives the authentication instruction 112, theclient-side authentication algorithm 52 inspects the authenticationinstruction 112 for the random subject matter 34. The client device 20generates the prompt 82 to draw the random subject matter 34. FIG. 8again illustrates the prompt 82 produced by the touch screen 38 on theuser's smart phone 24. The prompt 82 visually presents a textual version114 of the random subject matter 34 (such as “Please draw a hamburger toauthenticate”).

FIG. 9 illustrates a capture of the user's sketch 36. Once the prompt 82is presented, the user begins drawing her version of the random subjectmatter 34. The user places her fingernail or stylus to the touch screen38 and proceeds to draw her interpretation of the random subject matter34. The client-side authentication algorithm 52 captures the user'ssketch 36 as the touch screen data 84. When the user's sketch 36 iscomplete, the user may touch or click some icon (such as a “Done”graphical control 116). The user may also make a different input, suchas a “double tap” on the touch screen 38. Regardless, the user informsthe client-side authentication algorithm 52 that the sketch 36 iscomplete. The touch screen data 84 is then electronically captured andstored at least temporarily in the memory of the client device 20.

Exemplary embodiments may also guide the user. When the client device 20generates the prompt 82 to draw the random subject matter 34, the prompt82 may also help the user draw her interpretation of the random subjectmatter 34. Instead of merely displaying the textual version 114 of therandom subject matter 34 (such as “Please draw a hamburger toauthenticate”), exemplary embodiments may partially display some of therandom subject matter 34. The prompt 82 would then instruct the user tocomplete the drawing. For example, if the random subject matter 34 isthe “hamburger,” then exemplary embodiments may graphically illustrate abun on the touch screen 38. The prompt 82 may then instruct the user tocomplete the drawing, with or without revealing the random subjectmatter 34. The user may then draw, or fill in, the details thataccompany her interpretation of the random subject matter 34. Theclient-side authentication algorithm 52 then captures the user's sketch36 as the touch screen data 84.

FIG. 10 illustrates an authentication request 120. Once the user'ssketch 36 of the random subject matter 34 is captured, exemplaryembodiments send the touch screen data 84 to the authentication server22. The client-side authentication algorithm 52 instructs the clientdevice 20 to send the authentication request 120. The authenticationrequest 120 routes along the communications network (illustrated asreference numeral 26 in FIG. 1) to the network address associated withthe authentication server 22. Here, though, the authentication request120 may also include the touch screen data 84 and the device identifier96 that wishes to authenticate. When the authentication server 22receives the authentication request 120, the server-side authenticationalgorithm 62 may now authenticate the client device 20.

FIG. 11 illustrates the authentication. The server-side authenticationalgorithm 62 needs to determine if the user's sketch 36, represented bythe touch screen data 84, is truly the artistic work expected from theclient device 20 (e.g., the device identifier 96). So, beforeauthentication can be performed, the server-side authenticationalgorithm 62 may predict what to graphically expect from the clientdevice 20.

Exemplary embodiments may thus retrieve the user's sketching skills 32.Because the device identifier 96 identifies the client device 20 thatwishes to authenticate, the server-side authentication algorithm 62queries the database 90 of profiles for the device identifier 96 thatwishes to authenticate. Here, though, the database 90 of profilesretrieves and responds with the sketching skills 32 associated with thedevice identifier 96.

The freehand model 42 may now be built. As earlier paragraphs explained,the sketching skills 32 describe the freehand sketching capabilitiesassociated with the device identifier 96. The server-side authenticationalgorithm 62 may thus use the sketching skills 32 to generate thefreehand model 42. The client-side authentication algorithm 52 may callor invoke a graphing program 130 that generates the freehand model 42 ofthe random subject matter 34, using the sketching skills 32 associatedwith the device identifier 96 wishing to authenticate. Exemplaryembodiments, in other words, may generate an electronic representationof the same random subject matter 34, using the sketching skills 32 ofthe true person wishing to authenticate.

The user's sketch 36 may now be compared. The server-side authenticationalgorithm 62 compares the touch screen data 84 to the freehand model 42generated from the sketching skills 32 of the true person wishing toauthenticate. The server-side authentication algorithm 62 may use anygraphical comparison 132 to determine a similarity 134 between the touchscreen data 84 and the freehand model 42. If the user is truly who shepurports to be, then her touch screen data 84 will sufficiently matchthe freehand model 42 generated from her own sketching skills 32. If hertouch screen data 84 does not match the freehand model 42, then perhapsan imposter or rogue is attempting to authenticate.

The similarity 134 may thus be compared to a threshold 136. Thesimilarity 134 may be any measurement of how closely the touch screendata 84 matches the freehand model 42. The graphical comparison 132, forexample, may measure the similarity 134 between shapes and/or style. Thegraphical comparison 132 may additionally or alternatively measure avelocity of strokes, direction of strokes, and/or pressure or force ofstrokes. Starting locations, ending locations, and/or transitionlocations may be compared. However the similarity 134 is measured, thesimilarity 134 may be compared to the threshold 136. The threshold 136may be any value, or values, that define or determine a minimumsimilarity 134 between the touch screen data 84 and the freehand model42. The threshold 136, for example, may be an error function thatgenerates a maximum error between the user's sketch 36 (using the touchscreen data 84) and the freehand model 42 generated from the sketchingskills 32. If the user is truly who she purports to be, then her touchscreen data 84 will match, satisfy, or equal the freehand model 42 towithin the threshold 136. If her touch screen data 84 does not match thefreehand model 42, then the authentication may fail.

FIG. 12 illustrates an authentication response 138. Once the graphicalcomparison 132 is complete, the server-side authentication algorithm 62makes an authentication decision 140. If the similarity 134 satisfiedthe threshold 136, then the authentication decision 140 may be anaffirmation or permission. If the similarity 134 fails to satisfy thethreshold 136, then the authentication decision 140 may be a denial ofaccess. The authentication decision 140 is sent from the authenticationserver 22 as the authentication response 138. The authenticationresponse 138 communicates to the network address associated with therequesting client device 20. When the client device 20 receives theauthentication response 138, the client-side authentication algorithm 52also obtains the authentication decision 140. If the authenticationdecision 140 is the affirmation, then the client-side authenticationalgorithm 52 may access whatever permissions are available from theauthentication server 22. If the client-side authentication algorithm 52obtains the denial, though, then authentication failed.

FIGS. 13-19 are more schematics illustrating authentication, accordingto exemplary embodiments. Here authentication may be based on the useridentifier 94 associated with the user. Many computers, tablets, andother client devices are shared by multiple users (such as members of ahousehold). Exemplary embodiments may thus also authenticate differentusers that share the same client device 20. The current user of theclient device 20 inputs their unique user identifier 94, such as ausername. The user identifier 94, though, may also be a biometricidentifier, such as a scan of a fingerprint, face, or retina.

The learning session 70, though, is repeated for each different user.Because the client device 20 may be shared, each different user may thushave some login credential, such as the user identifier 94. The userlogs on to the client device 20 and completes the learning session 70 torecursively learn the user's sketching skills 32. Whenever any sharinguser wishes to authenticate, the graphical sketch-based authenticationmay proceed. Many details of this shared-device authentication are thesame, so the similar details are only briefly reviewed.

FIG. 14 thus illustrates the authentication notification 110. When oneof the sharing users wishes to authenticate, the client-sideauthentication algorithm 52 sends the authentication notification 110 tothe authentication server 22. Here, though, the authenticationnotification 110 includes the user identifier 94 associated with thecurrent user of the client device 20. When the authentication server 22receives the authentication notification 110, the server-sideauthentication algorithm 62 is alerted to an authentication attempt fromthe current user of the client device 20. The server-side authenticationalgorithm 62 inspects the authentication notification 110 for the useridentifier 94.

The random subject matter 34 is then selected. The server-sideauthentication algorithm 62 queries the database 72 of subject matterfor the random subject matter 34. The database 72 of subject matterrandomly selects one of its entries (illustrated as reference numeral 76from the listing 74 of nouns in FIG. 13). The database 72 of subjectmatter responds to the query with the random subject matter 34, and theauthentication server 22 sends the authentication instruction 112 to theclient device 20.

FIG. 15 illustrates the prompt 82 for the random subject matter 34. Whenthe client device 20 receives the authentication instruction 112, theclient-side authentication algorithm 52 inspects the authenticationinstruction 112 for the random subject matter 34. The client-sideauthentication algorithm 52 causes the client device 20 to generate theprompt 82 to draw the random subject matter 34. FIG. 15 againillustrates the prompt 82 produced by the touch screen 38 on the user'ssmart phone 24. The prompt 82 visually presents the textual version 114of the random subject matter 34 (e.g., “Please draw a hamburger toauthenticate”).

The user's sketch 36 is captured. As FIG. 16 illustrates, the user drawsher version of the random subject matter 34. The client-sideauthentication algorithm 52 captures the user's sketch 36 as the touchscreen data 84. The touch screen data 84 is stored in the memory of theclient device 20.

FIG. 17 illustrates the authentication request 120. Once the user'ssketch 36 of the random subject matter 34 is captured, exemplaryembodiments send the touch screen data 84 to the authentication server22. The authentication request may include the touch screen data 84 andthe user identifier 94 associated with the current user of the clientdevice 20. When the authentication server 22 receives the authenticationrequest 120, the server-side authentication algorithm 62 may nowauthenticate the current user of the client device 20.

FIG. 18 illustrates the authentication. The server-side authenticationalgorithm 62 determines if the user's sketch 36, represented by thetouch screen data 84, is truly the artistic work expected from the useridentifier 94. So, the server-side authentication algorithm 62 queriesthe database 90 of profiles for the user identifier 94 that wishes toauthenticate. The database 90 of profiles retrieves and responds withthe sketching skills 32 associated with the user identifier 94.

The freehand model 42 is built. As earlier paragraphs explained, thesketching skills 32 describe the freehand sketching capabilitiesassociated with the user identifier 94. The server-side authenticationalgorithm 62 may thus use the sketching skills 32 to generate thefreehand model 42. The server-side authentication algorithm 62 may callor invoke the graphing program 130 that generates the freehand model 42of the random subject matter 34, using the sketching skills 32associated with the user identifier 94 wishing to authenticate.

The user's sketch 36 may now be compared. The server-side authenticationalgorithm 62 compares the touch screen data 84 to the freehand model 42generated from the sketching skills 32 associated with the useridentifier 94. The server-side authentication algorithm 62 may performthe graphical comparison 132 to determine the similarity 134 between thetouch screen data 84 and the freehand model 42. If the user is truly whoshe logged in as (e.g., the user identifier 94), then her touch screendata 84 will sufficiently match the freehand model 42 generated from herown sketching skills 32, perhaps within the threshold 136. If her touchscreen data 84 does not match the freehand model 42, then perhaps animposter or rogue is attempting to authenticate.

FIG. 19 illustrates the authentication response 138. Once the graphicalcomparison 132 is complete, the server-side authentication algorithm 62makes the authentication decision 140. If the similarity 134 satisfiedthe threshold 136, then the authentication decision 140 may be theaffirmation, thus allowing the client device 20 to access services andfeatures. If the similarity 134 fails to satisfy the threshold 136, thenthe authentication decision 140 may be the denial. The authenticationserver 22 sends the authentication decision 140 as the authenticationresponse 138. When the client device 20 receives the authenticationresponse 138, the client-side authentication algorithm 52 also obtainsthe authentication decision 140. If the authentication decision 140 isthe affirmation, then the client-side authentication algorithm 52 mayaccess whatever permissions are available from the authentication server22. If the client-side authentication algorithm 52 obtains the denial,though, then authentication failed.

FIG. 20 is a schematic illustrating a rejection 150 of the randomsubject matter 34, according to exemplary embodiments. Here exemplaryembodiments may determine that the random subject matter 34, selectedfrom the database 72 of subject matter, is too complicated for thesketching skills 32 of the authenticating user. As earlier paragraphsexplained, when the authentication server 22 receives the authenticationnotification 110 from the client device 20, the authentication server 22is alerted to an authentication attempt by the user of the client device20. The authentication server 22 then queries for the random subjectmatter 34.

Here the authentication server 22 may compare the random subject matter34 to the sketching skills 32 of the authenticating user. As FIG. 20illustrates, the random subject matter 34 may have an associated level152 of difficulty. That is, each entry 76 in the database 72 of subjectmatter may have the associated level 152 of difficulty. Each level 152of difficulty represents any measurement or evaluation of how hard thecorresponding random subject matter 34 is to draw. Exemplaryembodiments, then, may assign numerical values to different levels 152of difficulties. Complicated subject matter, for example, may have ahigh level 152 of difficulty on a spectrum 154 of difficulty. Easysubject matter, though, may have a low level 152 of difficulty on thespectrum 154 of difficulty.

Each user's sketching skills 32, likewise, may also have an associatedlevel 156 of capability. The level 156 of capability represents anymeasurement or evaluation of the corresponding user's ability to drawpictures. The user's sketching skills 32 may be evaluated and assignedthe level 156 of capability on a spectrum 158 of capability. Exemplaryembodiments, then, may assign numerical values to different levels 156of capability. If the user's sketching skills 32 are determined to behighly capable, then the user's level 156 of capability may be highlyranked on the spectrum 158 of capability. If the user's sketching skills32 are determined to be unskilled or incapable, then the user's level156 of capability may be lowly ranked on the spectrum 158 of capability.Exemplary embodiments may thus compare the random subject matter 34 tothe sketching skills 32 of the authenticating user.

The level 152 of difficulty may be compared to the user's level 156 ofcapability. If the level 152 of difficulty exceeds the user's level 156of capability, the server-side authentication algorithm 62 may havediscretion to reject or decline the random subject matter 34 retrievedfrom the database 72 of subject matter. The random subject matter 34 maybe too complicated, or beyond the capabilities, of the authenticatinguser. If the random subject matter 34 is too complicated, authenticationmay be too inaccurate for reliable results. The server-sideauthentication algorithm 62 may, instead, query the database 72 ofsubject matter for another, second random subject matter 34. Indeed, thequery may specify the user's level 156 of capability, thus instructingthe database 72 of subject matter to only retrieve entries 76 having thelevel 152 of difficulty as less than or equal to the user's level 156 ofcapability.

Exemplary embodiments may also compute a difference 160. When the randomsubject matter 34 is retrieved from the database 72 of subject matter,the server-side authentication algorithm 62 may compute the difference160 between the user's level 156 of capability and the level 152 ofdifficulty assigned to the random subject matter 34. That is, thenumerical difference 160 may be computed fromL _(Capability) −L _(Difficulty) =L _(Dif),where L_(Capability) denotes the user's level 156 of capability andL_(Difficulty) is the level 152 of difficulty assigned to the randomsubject matter 34. If L_(Dif) is zero (0) or positive, then the randomsubject matter 34 may be within the sketching skills 32 of the user.When, however, L_(Dif) is negative, the random subject matter 34 may betoo complicated for the sketching skills 32 of the user. Differentrandom subject matter 34 may need to be chosen.

FIGS. 21-22 are schematics further illustrating the database 72 ofsubject matter, according to exemplary embodiments. Here the database 72of subject matter may store the listing 74 of nouns and a listing 170 ofverbs. As an earlier paragraph explained, the listing 74 of nouns may beany listing of persons, places, and/or things that the authenticatinguser may be required to draw. The listing 170 of verbs may be anylisting of action words and/or modifiers. The listing 170 of verbs, forexample, may include “running,” “sleeping,” “driving,” and “planting.”When the database 72 of subject matter is queried for the random subjectmatter 34, exemplary embodiments may select an entry 76 from both thelisting 74 of nouns and the listing 170 of verbs. That is, the database72 of subject matter randomly selects the entry 76 from the listing 74of nouns and another random entry 172 from the listing 170 of verbs. Thedatabase 72 of subject matter then pairs the two randomly selectedentries 76 and 172 as the random subject matter 34. As FIG. 21illustrates, the database 72 of subject matter, for example, mayretrieve “tractor” as the entry 76 from the listing 74 of nouns and“firing” as the another random entry 172 from the listing 170 of verbs.The database 72 of subject matter then pairs “tractor” and “firing” as“tractor firing” to create the random subject matter 34. Theauthentication instruction 112 is then sent, and the authenticating useris then prompted to draw “tractor firing,” as this disclosure earlierexplained.

Some pairings, however, may seem senseless. The exemplary pairing“tractor firing” may make little lexical sense. Indeed, some pairings(such as “ball sleeping” or “tree driving”) may be difficult toconceptualize and draw. Still, though, exemplary embodiments may promptthe user to draw whatever pairing is selected by the database 72 ofsubject matter. Alternatively, exemplary embodiments may only pair nounand verb combinations that have recognized lexical usage and/orlinguistic meaning Some nouns, in other words, may only have a limitednumber of possible pairings with verbs that have linguistic meaning.

FIG. 22 thus illustrates predefined noun and verb pairings. Here thedatabase 72 of subject matter may store a listing 180 of noun-verbpairings. Each entry 76 in the listing 180 of noun-verb pairings is apre-selected noun-verb combination that is lexically or linguisticallyrecognized. While some noun-verb pairings may have greater usage ormeaning, the noun-verb pairings are chosen for authentication purposes.The database 72 of subject matter retrieves one of the noun-verbpairings as the random subject matter 34. The authenticating user isthen prompted to draw the noun-verb pairing, as this disclosure earlierexplained.

FIG. 23 is a schematic further illustrating the database 72 of subjectmatter, according to exemplary embodiments. Here the database 72 ofsubject matter may be remotely located and accessed from any location inthe communications network 26. FIG. 23, for example, illustrates thedatabase 72 of subject matter being stored in memory of a remote server190. The remote server 190 has a microprocessor, ASIC, or other hardwarecomponent that manages queries to, and responses from, the database 72of subject matter. When the authentication server 22 needs the randomsubject matter 34, the server-side authentication algorithm 62 causesthe authentication server 22 to send a query 192 to the database 72 ofsubject matter. The query 192 routes through the communications network26 to the network address associated with the remote server 190. Thedatabase 72 of subject matter retrieves the random subject matter 34 andsends a response 194.

FIGS. 24-25 are schematics illustrating local authentication, accordingto exemplary embodiments. Earlier paragraphs explained how the clientdevice 20 may use the remote authentication server 22 for cloud-based,authentication services. Here, exemplary embodiments include a localsolution in which the client device 20 itself authenticates the user.

FIG. 24 illustrates the learning session 70. Here the client device 20learns the user's sketching skills 32. Once again the user isrepetitively prompted to draw pictures of different scenes, places,and/or things. This prompt-and-sketch routine is repeated as long asnecessary until the sketching skills 32 of the user are learned. FIG. 24illustrates the database 72 of subject matter being locally stored inthe client device 20, but the database 72 of subject matter may beremotely stored and accessed (as FIG. 23 illustrated). The client-sideauthentication algorithm 52 recursively prompts the user to draw therandom subject matter 34. The client-side authentication algorithm 52queries the database 72 of subject matter for the random subject matter34. The client-side authentication algorithm 52 generates the prompt 82to draw the random subject matter 34, and the user creates the sketch 36of the random subject matter 34. The client-side authenticationalgorithm 52 captures the data 40 that describes the user's sketch 36(perhaps as the touch screen data 84).

The database 90 of profiles may also be locally stored. Once the user'ssketch 36 of the random subject matter 34 is captured, the touch screendata 84 may be stored in the user's profile 92. Because the clientdevice 20 may be shared among multiple users, each different user mayestablish their own profile 92. The profile 92 associates the touchscreen data 84 with the user identifier 94 of the user. The client-sideauthentication algorithm 52 may also associate the touch screen data 84to the random subject matter 34.

This learning session 70 repeats. The client-side authenticationalgorithm 52 may repeatedly retrieve different random subject matter 34from the database 72 of subject matter. The user is prompted to draweach random subject matter 34. Each of the user's sketches 36 iscaptured (such as by the touch screen data 84) and stored in the user'sprofile 92. The user's sketch 36 may then be associated with the randomsubject matter 34. This cyclic learning session 70 is repeated until theuser's sketching skills 32 are determined.

FIG. 25 illustrates authentication. Now that the user's sketching skills32 are learned, the user's sketching skills 32 may be applied toauthentication requests. When the current user of the client device 20wishes to authenticate, the client-side authentication algorithm 52queries the database 72 of subject matter for the random subject matter34. The database 72 of subject matter selects the random subject matter34, and the client-side authentication algorithm 52 instructs theprocessor 50 to generate the prompt 82. The prompt 82 is visuallydisplayed on a display device 200 (such as the touch screen 38 of thesmart phone 24, illustrated in FIG. 1), and the prompt 82 instructs theuser to draw the random subject matter 34 (such as “Please draw a‘hamburger’ to authenticate,” as previously explained and illustrated).The user draws the random subject matter 34, and the data 40 (such asthe touch screen data 84) is captured. The client-side authenticationalgorithm 52 retrieves the sketching skills 32 associated with the useridentifier 94. The client-side authentication algorithm 52 generates thefreehand model 42 of the random subject matter 34, using the sketchingskills 32 associated with the user identifier 94 wishing toauthenticate. The client-side authentication algorithm 52 compares thedata 40 to the freehand model 42 using the graphical comparison 132. Thesimilarity 134 is determined and compared to the threshold 136. If thesimilarity 134 satisfies the threshold 136, then the client-sideauthentication algorithm 52 may authenticate the user. If the similarity134 does not satisfy the threshold 136, then the authentication mayfail.

Exemplary embodiments may use two-dimensional and three-dimensionalimages. When the user is prompted to draw the random subject matter 34,exemplary embodiments may request a 2-D or 3-D rendering. If the user isprompted to draw a “house,” for example, the user may be required todraw a two-dimensional “house” or a three-dimensional, isometric“house.” Similarly, the freehand model 42 of the random subject matter34 may also be generated in two-dimensions or three-dimensions.

FIG. 26 is a schematic illustrating authentication using physicalbuilding blocks, according to exemplary embodiments. As computingadvances, the inventors foresee increased use and popularity of surfacecomputing. Here the client device 20 is illustrated as a surfacecomputer 210 having an interactive display 212. One or more legs 214 maysupport the surface computer 210, such that the interactive display 212is generally flat or horizontal like a table. The interactive display212, however, may have any orientation. Regardless, a designer,architect, or other user may place physical building blocks 216 onto theinteractive display 212. The user arranges the building blocks 216 intoa physical model 218 of any structure. The building blocks 216 may havea variety of shapes, thus allowing the user to build models ofbuildings, cars, component parts, or any other structure. As the userplaces and/or stacks the building blocks 216, an internal camera 220peers upward through the interactive display 212 and captures digitalpictures of an arrangement of the building blocks 216. The surfacecomputer 210 analyzes the digital pictures and maps a location andidentity of each building block 216. The surface computer 210 may thuscreate a computer model of the physical model 218 built atop theinteractive display 212. Because surface computers are known to those ofordinary skill in the art, this disclosure need not provide a detailedexplanation.

The physical building blocks 216 may be used for authentication. Whenthe user wishes to authenticate, the user may be prompted to arrange thebuilding blocks 216 into the random subject matter 34. That is, thesurface computer 210 executes the client-side authentication algorithm52 and generates the prompt 82 for the random subject matter 34 (asearlier paragraphs explained). Here, though, instead of drawing therandom subject matter 34, the user arranges the building blocks 216 intothe physical model 218 of the random subject matter 34. The client-sideauthentication algorithm 52 causes the internal camera 220 to capture adigital image of the user's physical model 218 of the random subjectmatter 34.

A comparison is then made. Because the user arranges the building blocks216, here the client-side authentication algorithm 52 generates atwo-dimensional or three-dimensional model 222 of the random subjectmatter 34. The model 222 is generated using the user's constructionskills 224 learned over time. The user's construction skills 224 arelearned from the learning session 70 as earlier explained, but here theuser is repeatedly prompted to build two-dimensional and/orthree-dimensional models of different random subject matter 34. If theauthenticating user is truly who she purports to be, then exemplaryembodiments may predict how she will arrange the building blocks 216into the random subject matter 34. If the images and/or locations of theuser's physical model 218 (built atop the interactive display 212)matches the model 222 generated using the user's construction skills224, then the user may be authenticated.

FIG. 27 is a schematic illustrating gesture-based authentication,according to exemplary embodiments. When the user wishes toauthenticate, here the user may be prompted to perform some physicalgesture 230 that matches the random subject matter 34. The randomsubject matter 34, for example, may be “fly buzzing.” The user wouldthen be prompted (via the prompt 82) to perform the physical gesture 230of a “fly buzzing.” The client device 20 interfaces with an imagingsystem 232 (such as a digital camera) to capture video data 234 of theuser performing her physical interpretation of a “fly buzzing.”Exemplary embodiments may then compare the video data 234 to a gesturemodel 236 learned over time from gesture skills 238. The learningsession 70, for example, may cyclically prompt the user to performvarious gestures, and the user's physical interpretations are analyzedto develop the gesture skills 238. Whenever the user wishes toauthenticate, the user's gesture skills 238 may be used to generate thegesture model 236 of the random subject matter 34. If the authenticatinguser is truly who she purports to be, then exemplary embodiments maypredict how she will physically interpret the random subject matter 34.If the video data 234 matches the gesture model 236, then the user maybe authenticated.

FIGS. 28-30 are flowcharts illustrating a method or algorithm forauthenticating users, according to exemplary embodiments. A user isprompted to provide an input (Block 250). The user's input is received(Block 252) and analyzed for the user's skills (Block 254). Thislearning session 70 is repeated to learn the user's skills (Block 216).When the user wishes to authenticate (Block 258), the random subjectmatter 34 is retrieved (Block 260). The random subject matter 34 iscompared to the user's skills (Block 262).

The algorithm continues with FIG. 29. If the random subject matter 34 istoo complicated for the user's skills (Block 264), then the randomsubject matter 34 may be rejected (Block 266) and different subjectmatter is selected (see Block 260 of FIG. 28). The user is prompted tointerpret the random subject matter 34 (Block 268). The user's input isreceived (Block 270). A model of the random subject matter 34 isgenerated using the skills (Block 272). The user's interpretation of therandom subject matter 34 is compared to the model of the random subjectmatter 34 generated from the skills (Block 274).

The algorithm continues with FIG. 30. If the user's interpretationmatches the model (Block 276), then the user may be authenticated (Block278). If the user's interpretation fails to match the model (Block 276),then authentication may be denied (Block 280).

FIG. 31 is a schematic illustrating still more exemplary embodiments.FIG. 31 is a more detailed diagram illustrating a processor-controlleddevice 300. As earlier paragraphs explained, the client-sideauthentication algorithm 52 and/or the server-side authenticationalgorithm 62 may operate in any processor-controlled device. FIG. 31,then, illustrates the client-side authentication algorithm 52 and/or theserver-side authentication algorithm 62 stored in a memory subsystem ofthe processor-controlled device 300. One or more processors communicatewith the memory subsystem and execute either or both applications.Because the processor-controlled device 300 is well-known to those ofordinary skill in the art, no further explanation is needed.

FIG. 32 depicts still more operating environments for additional aspectsof the exemplary embodiments. FIG. 32 illustrates that the exemplaryembodiments may alternatively or additionally operate within otherprocessor-controlled devices 300. FIG. 32, for example, illustrates thatthe client-side authentication algorithm 52 and/or the server-sideauthentication algorithm 62 may entirely or partially operate within aset-top box (“STB”) (302), a personal/digital video recorder (PVR/DVR)304, personal digital assistant (PDA) 306, a Global Positioning System(GPS) device 308, an interactive television 310, an Internet Protocol(IP) phone 312, a pager 314, a cellular/satellite phone 316, or anycomputer system, communications device, or any processor-controlleddevice utilizing a digital signal processor (DP/DSP) 318. Theprocessor-controlled device 300 may also include watches, radios,vehicle electronics, clocks, printers, gateways, mobile/implantablemedical devices, and other apparatuses and systems. Because thearchitecture and operating principles of the variousprocessor-controlled devices 300 are well known, the hardware andsoftware componentry of the various processor-controlled devices 300 arenot further shown and described.

Exemplary embodiments may be physically embodied on or in acomputer-readable storage medium. This computer-readable medium, forexample, may include CD-ROM, DVD, tape, cassette, floppy disk, opticaldisk, memory card, memory drive, and large-capacity disks. Thiscomputer-readable medium, or media, could be distributed toend-subscribers, licensees, and assignees. A computer program productcomprises processor-executable instructions for authenticating users, asthe above paragraphs explained.

While the exemplary embodiments have been described with respect tovarious features, aspects, and embodiments, those skilled and unskilledin the art will recognize the exemplary embodiments are not so limited.Other variations, modifications, and alternative embodiments may be madewithout departing from the spirit and scope of the exemplaryembodiments.

The invention claimed is:
 1. A method, comprising: receiving, by aprocessor, an electronic request sent from a network address associatedwith a device, the electronic request requesting authentication of auser of the device; querying, by the processor, an electronic databasefor a noun, the electronic database stored in a memory accessible to theprocessor; sending, by the processor, an authentication instruction tothe network address associated with the device, the authenticationinstruction including an electronic prompt to draw subject matterincorporating the noun; receiving, by the processor, an electronicsketch sent from the network address associated with the device, theelectronic sketch describing the subject matter incorporating the noundrawn by the user requesting the authentication; and authenticating, bythe processor, the user based on the electronic sketch of the subjectmatter.
 2. The method of claim 1, further comprising storing anelectronic listing of different noun words in the electronic database.3. The method of claim 2, further comprising randomly selecting an entryin the electronic listing of different noun words.
 4. The method ofclaim 1, further comprising receiving the electronic sketch comprisingtouch screen data, the touch screen data describing the subject matterincorporating the noun drawn by the user requesting the authentication.5. The method of claim 1, further comprising retrieving a sketchingskill.
 6. The method of claim 5, further comprising generating afreehand model of the subject matter incorporating the noun using thesketching skill.
 7. The method of claim 6, further comprising comparingthe freehand model to the electronic sketch.
 8. A system, comprising: aprocessor; and a memory storing instructions that, when executed by theprocessor, cause the processor to perform operations, the operationscomprising: receiving an electronic request sent from a network addressassociated with a device, the electronic request requestingauthentication of a user of the device; querying an electronic databasefor a noun; sending an authentication instruction to the network addressassociated with the device, the authentication instruction including anelectronic prompt to draw subject matter incorporating the noun;receiving an electronic sketch sent from the network address associatedwith the device, the electronic sketch comprising the subject matterincorporating the noun drawn by the user requesting the authentication;and authenticating the user based on the electronic sketch of thesubject matter incorporating the noun.
 9. The system of claim 8, whereinthe operations further comprise storing an electronic listing ofdifferent noun words in the electronic database.
 10. The system of claim9, wherein the operations further comprise randomly selecting an entryin the electronic listing of different noun words.
 11. The system ofclaim 8, wherein the operations further comprise receiving touch screendata representing the subject matter incorporating the noun drawn by theuser requesting the authentication.
 12. The system of claim 8, whereinthe operations further comprise retrieving a sketching skill.
 13. Thesystem of claim 12, wherein the operations further comprise generating afreehand model of the subject matter incorporating the noun using thesketching skill.
 14. The system of claim 13, wherein the operationsfurther comprise comparing the freehand model to the electronic sketch.15. A memory storing instructions that when executed cause a processorto perform operations, the operations comprising: receiving anelectronic request sent from a network address associated with a device,the electronic request requesting authentication of a user of thedevice; querying an electronic database for a noun; sending anauthentication instruction to the network address associated with thedevice, the authentication instruction including an electronic prompt todraw subject matter incorporating the noun; receiving an electronicsketch sent from the network address associated with the device, theelectronic sketch describing the subject matter incorporating the noundrawn by the user requesting the authentication; and authenticating theuser based on the electronic sketch of the subject matter incorporatingthe noun drawn by the user.
 16. The memory of claim 15, wherein theoperations further comprise storing an electronic listing of differentnoun words in the electronic database.
 17. The memory of claim 16,wherein the operations further comprise randomly selecting an entry inthe electronic listing of different noun words.
 18. The memory of claim15, wherein the operations further comprise receiving touch screen datarepresenting the subject matter incorporating the noun drawn by the userrequesting the authentication.
 19. The memory of claim 15, wherein theoperations further comprise retrieving a sketching skill.
 20. The memoryof claim 19, wherein the operations further comprise generating afreehand model of the subject matter incorporating the noun.